Monitoring improvement program - Retailer

Background

A large retailer with an ever expanding technical environment including multiple disparate networks and wide range of technologies. Their Security Information and Event Management (SIEM) system had undergone little modification since its initial implementation and was unable to detect a variety of activities conducted by one of our teams during a penetration test.

"“Getting data is easy, doing something that is of benefit to us is the tricky part”"
Client CSO

The Challenge

The client had worked with a number of organizations to customize their SIEM system, some improvements had been made, however during penetration testing a wide variety of activities were not detected.

Subsequent review with the SOC highlighted a large number of gaps in where the SIEM was currently receiving data from, and the analysis being conducted.

The CSO and his team agreed that action was needed, however purchasing a new system was out of the question. The problem was exacerbated due to a large outsourcing contract for first line “eyes on glass” monitoring. To maximize the return on that contract the SIEM needed to be working effectively.

The Solution

OccamSec worked with the client’s security team to obtain as much detail as possible on the technologies in place, what data was being collected, how it was being analyzed, and what was being done with it. A number of tabletop exercises were held with business personnel and technical staff to flush out potential issues, and identify the coverage that was being provided to critical assets. 

The potential for the current technology was assessed and OccamSec identified a number of quick wins, the key issue being how the data would be analyzed (most devices will produce some kind of a log file, so getting data from a source is usually not the issue, the problem is how to discern actionable information from it).

Our team helped implement an initial round of modifications. Testing was undertaken to ensure these worked as planned, the process was then repeated.

Ultimately in an 8 week project the client gained a massive improvement in their monitoring capabilities. No new software was purchased, and the transition to the outsource monitoring provider was successful.